Two Minute Drill: WMIDiag and Namespace Security

Hello AskPerf. Happy New Year! My name is Gangadharan Prashanth and we’re going to kick off 2009 with a quick look at WMI Namespace Security and a common error message that we see when running the WMI Diagnosis Utility (WMIDiag). When running WMIDiag, we often see an alert reporting that the default security on a WMI namespace has been changed. Open up the WMIDiag logs, and towards the end look for a section marked WMI REPORT: BEGIN. The section will look something like this:

If there are multiple namespaces that have been identified by WMIDiag, then each one will have its own entry. There are three main sections to consider in this error message. The first section tells us which namespace has had its security modified. The entry will begin with WMI namespace security for ‘ROOT/’. After ‘ROOT/’, any one of the namespaces below ROOT or the ROOT namespace itself could be the one identified. In our example above, the namespace in question is ‘ROOT/RSOP’. In this first section, we are also provided the account name whose security rights differ from the expected defaults. In this example, the account is the ‘NT AUTHORITY\NETWORK SERVICE’ account:

Permits full read, write and delete access to WMI classes and class instances, both static and dynamic

WBEM_PARTIAL_WRITE_REP (Partial Write): Permits write access to static WMI class instances

WBEM_WRITE_PROVIDER (Provider Write): Permits write access to dynamic WMI class instances

WBEM_REMOTE_ACCESS (Remote Enable): Permits access to the namespace by remote computers

WBEM_WRITE_DAC (Edit Security): Permits write access to DACL settings

WBEM_READ_CONTROL (Read Security): Permits read-only access to DACL settings

Let’s assume for a moment that we haven’t deliberately altered the permissions on this namespace and that we want to change the permissions to match what WMIDiag reports as the expected permissions. The process is outlined in Microsoft KB Article 325353. Once you have made the requisite changes, re-run the WMI Diagnosis Utility to verify that the changes have taken effect.
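To review the current ACEs on a namespace before and after making changes, this added example (not from the original post and not part of WMIDiag) reads the namespace DACL through the `__SystemSecurity` class and decodes each access mask into the rights named above. It assumes an elevated Windows PowerShell 3.0 or later session on Windows Vista or later; the bit values are the standard WMI and Windows SDK ones, and `WBEM_ENABLE`, `WBEM_METHOD_EXECUTE` and `WBEM_FULL_WRITE_REP` are real constants whose names do not appear in the list above.

```powershell
# Added example: dump and decode the DACL of a WMI namespace.
# The default namespace is the one used as the example in the post.
param([string]$Namespace = 'ROOT\RSOP')

# Access-right bits for WMI namespaces. The last two are the generic
# READ_CONTROL / WRITE_DAC bits, shown under the names the post uses.
$rights = [ordered]@{
    'WBEM_ENABLE'            = 0x1
    'WBEM_METHOD_EXECUTE'    = 0x2
    'WBEM_FULL_WRITE_REP'    = 0x4
    'WBEM_PARTIAL_WRITE_REP' = 0x8
    'WBEM_WRITE_PROVIDER'    = 0x10
    'WBEM_REMOTE_ACCESS'     = 0x20
    'WBEM_READ_CONTROL'      = 0x20000
    'WBEM_WRITE_DAC'         = 0x40000
}

# __SystemSecurity is a singleton in every namespace; '=@' addresses it.
$result = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' `
                           -Name GetSecurityDescriptor
if ($result.ReturnValue -ne 0) {
    throw "GetSecurityDescriptor on $Namespace failed with code $($result.ReturnValue)"
}

foreach ($ace in $result.Descriptor.DACL) {
    # Build DOMAIN\Name; fall back to the SID string for unresolvable trustees.
    $name = $ace.Trustee.Name
    if (-not $name) { $name = $ace.Trustee.SIDString }
    if ($ace.Trustee.Domain) { $name = "$($ace.Trustee.Domain)\$name" }

    # Split the mask into named rights and whatever bits are left over.
    $known = 0
    $names = foreach ($r in $rights.GetEnumerator()) {
        if ($ace.AccessMask -band $r.Value) { $known = $known -bor $r.Value; $r.Key }
    }
    $other = $ace.AccessMask -band (-bnot $known)

    [pscustomobject]@{
        Trustee   = $name
        Type      = if ($ace.AceType -eq 1) { 'Deny' } else { 'Allow' }
        Inherited = [bool]($ace.AceFlags -band 0x10)   # INHERITED_ACE
        Mask      = '0x{0:X}' -f $ace.AccessMask
        Rights    = $names -join ', '
        OtherBits = '0x{0:X}' -f $other
    }
}
```

Saving the output for each namespace WMIDiag flags gives a record to compare against once the permissions have been reset and WMIDiag has been re-run.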

And that brings us to the end of this post. Thanks for stopping by, and once again – HAPPY NEW YEAR!